Setting multiple CORS domains in Apache config

Apache, CORS

Setting multiple CORS domains in Apache config

We’ve written about CORS previously in our post about enabling CORS for FileMaker server. In that scenario we took the ‘get a bigger hammer’ approach and simply allowed access from all remote domains.

Header always set Access-Control-Allow-Origin "*"

In some scenarios this is the ‘right’ thing to do, but much of the time you want to limit requests to a specific domain. The above would be updated to:

Header always set Access-Control-Allow-Origin "https://sub.domain.com"

And then there are times when you need to allow more than one, but not all domains, and I always forget how to do that, and finding the Stack Overflow answer that does actually work with current versions of Apache can be bit hit and miss. So here’s the answer:

SetEnvIf Origin "https://(sub.domain.com|www.otherdomain.com|app.otherdomain.com)$" AccessControlAllowOrigin=$0
Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e

Many of the answers you’ll find on the web will make the ‘s’ on https optional, but this is 2019 and everything should be being done of https anyway, so it’s not in the example above.

This is as much a ‘note to self’ as anything, but hopefully it’ll help someone.

Leave A Comment

*
*